
Firewall Queries

  • 24-10-2004 10:27pm
    #1
    Registered Users, Registered Users 2 Posts: 865 ✭✭✭


    Which is better a hardware or software firewall?
    Can I use both at the same time and is this advisable?
    Is the Windows XP firewall (service pack 2) any good or should I go for something else?....any recommendations?


    Thanks in advance!


Comments

  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    It depends on what you mean by 'better'. It also depends what you're using it for. A hardware firewall will generally come with a warranty, support, etc. It should also be designed with the lowest common denominator in mind, so it'll usually be easy to configure and maintain. On the other hand, you can put together a linux firewall for free (as long as you have the spare hardware lying around) and you'll learn a lot and probably have more control. But, there's a much steeper learning curve and more work involved.

    For a home user, the XP built-in firewall isn't a bad start. You'd preferably use a firewall capable of egress filtering (ZoneAlarm for e.g.), in order to protect the rest of the internet if you get hacked/infected, but an incoming filter at least protects against incoming bad traffic. In a network environment, you'd probably be better off having the network behind a dedicated firewall, software or hardware, although it wouldn't hurt to run a relaxed personal firewall on each individual workstation as well.


  • Registered Users, Registered Users 2 Posts: 865 ✭✭✭kazzer


    Thanks for replying FruitLover. I'm using a wireless ADSL modem/router for my IOL broadband connection, I have to admit I'm a bit confused by the whole firewall thingy! I know my Belkin ADSL modem/router has a built-in firewall so I was hoping that's enough, I just don't want anyone hacking into my system as I intend to leave the router on all day.

    FruitLover wrote:
    You'd preferably use a firewall capable of egress filtering (ZoneAlarm for e.g.), in order to protect the rest of the internet if you get hacked/infected, but an incoming filter at least protects against incoming bad traffic.

    Can you explain to me what this means?

    Thanks again for your help.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,982 Mod ✭✭✭✭Capt'n Midnight


    Best to use both. In general a non-Windows firewall will beat one running on Windows.

    Windows uses RPC for way too many things, including communications local to the machine itself - I don't know if vulnerabilities like these can undermine a software firewall. Also software takes time to load so some software firewalls take a few seconds to load after network communications have started.

    If you are connecting with anything other than a modem, e.g. broadband, you need an external device, just make sure it has a built-in firewall - don't bother with USB adaptors.

    At present on broadband a machine will get attacked within 16 minutes. So you could not patch in time.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Capt'n Midnight wrote:
    Best to use both. In general a non-Windows firewall will beat one running on Windows.

    Windows uses RPC for way too many things, including communications local to the machine itself - I don't know if vulnerabilities like these can undermine a software firewall. Also software takes time to load so some software firewalls take a few seconds to load after network communications have started.

    If you are connecting with anything other than a modem, e.g. broadband, you need an external device, just make sure it has a built-in firewall - don't bother with USB adaptors.

    At present on broadband a machine will get attacked within 16 minutes. So you could not patch in time.

    This is what I like about a Linux firewall. You can set it to start before networking does.

    If you're serious about a firewall, a hardware Linux one (I've tried Astaro on an old machine, it's pretty nice) is the best you can get, but they're generally a bitch to set up unless you know your scripting back to front.


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    By 'egress filtering', I mean being able to check outbound traffic. All firewalls vet incoming traffic (ingress filtering), but the lack of outgoing traffic checks is the reason for the mass infections of worms like Blaster. Some muppet's PC gets infected, the worm starts sending itself out over the internet with nothing to stop it.

    An easy way to get a Linux-based external firewall running would be to install SmoothWall or IpCop - these are two free, easy-to-use dedicated firewall-oriented Linux distributions. You don't have to know anything about Linux to install and run these, you can administer them entirely through a web interface.
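
The ingress/egress distinction described in the post above, as an added example that is not part of the original thread: a toy stateful filter run over four constructed packets, once with inbound checks only and once with an outbound port allow-list. The addresses, the allow-list and the class names are assumptions made for the illustration; TCP 135 is the RPC port Blaster scanned for.

```python
from dataclasses import dataclass

LAN_PC = "192.168.2.10"  # constructed address of the protected home PC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "out" = leaving the PC, "in" = arriving from the internet
    sport: int


class Firewall:
    """Toy stateful filter. egress_allow=None means outbound is never checked."""

    def __init__(self, egress_allow=None):
        self.egress_allow = egress_allow
        self.flows = set()  # connections opened from the inside

    def allows(self, p):
        if p.direction == "out":
            if self.egress_allow is not None and p.dport not in self.egress_allow:
                return False  # egress filtering: unexpected outbound port
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # ingress filtering: accept only replies to flows we opened ourselves
        return (p.dst, p.dport, p.src, p.sport) in self.flows


# Constructed sample traffic (documentation address ranges), in arrival order.
TRAFFIC = {
    "web request": Packet(LAN_PC, "203.0.113.5", 80, "out", 40000),
    "web reply": Packet("203.0.113.5", LAN_PC, 40000, "in", 80),
    "unsolicited probe": Packet("198.51.100.7", LAN_PC, 135, "in", 51000),
    "worm-style scan": Packet(LAN_PC, "198.51.100.20", 135, "out", 40001),
}


def verdicts(fw):
    return {name: fw.allows(p) for name, p in TRAFFIC.items()}


ingress_only = verdicts(Firewall())
with_egress = verdicts(Firewall(egress_allow={53, 80, 443}))

if __name__ == "__main__":
    for name in TRAFFIC:
        print(f"{name:18} ingress-only={ingress_only[name]!s:5} +egress={with_egress[name]}")
```

Both policies drop the unsolicited probe and pass the web reply; only the one with the outbound allow-list stops the infected PC's scan from leaving.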


  • Registered Users, Registered Users 2 Posts: 173 ✭✭happydude13


    "Shorewall"
    for linux based systems is also very good

    I've used it with Debian and it's very good.


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    Capt'n Midnight wrote:
    If you are connecting with anything other than a modem, e.g. broadband, you need an external device, just make sure it has a built-in firewall - don't bother with USB adaptors.

    I just bought IBB, still hasn't arrived yet :rolleyes:. I didn't know that you needed a hardware firewall. Why will a software one not do?


  • Closed Accounts Posts: 120 ✭✭test999


    Fenster wrote:
    This is what I like about a Linux firewall. You can set it to start before networking does.

    Sounds like a network/transport layer firewall.
    Could anyone here clarify if ZoneAlarm is an application layer or network layer firewall? or both? I've noticed that Kerio can become operational before the OS proper starts up.

    @kazzer, I'm certain that MS has provided hooks for AV vendors, i.e. AVG;
    I was also under the impression that MS has provided hooks for firewall vendors too; by hooks, I mean an interface via the security control panel in XP.
    The very basic built-in firewall has a lot of things turned off by default, however there are, IIRC, a few things that you probably don't need.


  • Closed Accounts Posts: 120 ✭✭test999


    kazzer wrote:
    Which is better a hardware or software firewall?
    Hardware is better for performance reasons, other reasons too.
    Software is better for configurability, other reasons too.
    kazzer wrote:
    Can I use both at the same time and is this advisable?
    Using both is a very good idea, but it might be overkill for many people.


  • Registered Users, Registered Users 2 Posts: 865 ✭✭✭kazzer


    Thanks for the replies guys. :)
    test999 wrote:
    Using both is a very good idea, but it might be overkill for many people.

    I've just become very conscious of security on the Internet...recently got stung with that modem hijacking scam!

    Me modem was trying to dial the Solomon islands or some **** like that! :mad:

    Watch out for that **** anyone using dialup out there....


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,982 Mod ✭✭✭✭Capt'n Midnight


    Dialers - could you use the ISP's phone number as the number to access an outside line ???

    Windows loads up network drivers very early on. Win95/98 very bad for this. On an older PC I got 15 ping replies before ZoneAlarm loaded, and have been able to route traffic through a 98 box that had blue screened, and I've seen ZoneAlarm and AV crash many times (remember it takes on average 16 minutes to get probed on broadband).


  • Closed Accounts Posts: 7,346 ✭✭✭Rev Hellfire


    It's worth noting that some malware will take steps to disable firewalls, which is one reason alone to have a hardware-based firewall.
    Most DSL modems will have a simple one built in, so as a first step make sure it's on. I personally use both a hardware-based one and a software one on the Windows machine (mainly cos I like to know who's phoning home, he says looking out the window for the black helicopter).

